By only allowing the sink in the state where encryption v1 is used, we
can handle the new case where the order of attribute assignment is
flipped.
However, we get a few too many paths because we can have multiple
sources reaching the same sink... let's fix in next commit.
Since we can analyze operator.py from Python3, but not in Python 2
(since it's implemented in C), we get a difference for the index tests.
note: `operator.length_hint` is only available in Python 3.4 and later,
so would always fail under Python 2.
Adjusted `tracked.ql`
- no need to annotate results on line 0
this could happen for global SSA variables
- no need to annotate scope entry definitons
they look a bit weird, as the annotation goes on the
line of the function definition.
type tracking and the API graph.
- In `TypeTrackerSpecific.qll` we add a jump step
- to every scope entry definition
- from the value of any defining `DefinitionNode`
(In our example, the definition is the class name, `Users`,
while the assigned value is the class definition, and it is
the latter which receives flow in this case.)
- In `LocalSources.qll` we allow scope entry definitions as local sources.
- This feels natural enough, as they are a local source for the value, they represent.
It is perhaps a bit funne to see an Ssa variable here,
rather than a control flow node.
- This is necessary in order for type tracking to see the local flow
from the scope entry definition.
- In `ApiGraphs.qll` we no longer restrict the result of `trackUseNode`
to be an `ExprNode`. To keep the positive formulation, we do not
prohibit module variable nodes. Instead we restrict to the new
`LocalSourceNodeNotModule` which avoids those cases.
This is a condensed versio of the user reported example
found [here](eb377d5918/app.py (L278))
The `MISSING` annotation indicates where our API graph falls short.
this illustrates that the function implementing
the comprehension does not capture `mod_local`.
We could handle this case specially, by having
a different implementation for `for`, but the
wider issue would remain.
this concept was due to my confusion between
TLS and SSL23, but they are aliases.
We might want to bring back the concept if we model DTLS.
Also, model what exactly creations allow,
bring this back from the unrestrictions they used to be.
We accept the changes regarding sources being reported differently.
This is a bit of an edge case, but allowed. Since we currently don't
provide information on positional only arguments, we can't do much to
solve it right now.
